Initial Configuration

In This Section:

Licenses

Initial Configuration of SmartEvent and SmartReporter Clients

Enabling Connectivity with Multi-Domain Security Management

Incorporating Third-Party Devices

SmartEvent and SmartReporter components require Secure Internal Communication (SIC) with the Management server, which is either a Security Management Server or a Domain Management Server.

Once connectivity is established, install SmartEvent and SmartReporter and perform the initial configuration.

Licenses

Check Point software is activated with a License Key. To obtain this License Key, register the Certificate Key that appears on the back of the software media pack in the Check Point User Center.

The Certificate Key is used in order to receive a License Key for products that you are evaluating.

In order to purchase the required Check Point products, contact your reseller.

Check Point software that has not yet been purchased will work for a period of 15 days. You are required to go through the User Center in order to register this software.

  1. Activate the Certificate Key shown on the back of the media pack via Check Point User Center.

    The Certificate Key activation process consists of:

    • Adding the Certificate Key
    • Activating the products
    • Choosing the type of license
    • Entering the software details

    Once this process is complete, a License Key is created and made available to you.

  2. Once you have a new License Key, you can start the installation and configuration process. During this process, you will be required to:
    • Read the End Users License Agreement and, if you accept it, select Yes.
    • Import the license that you obtained from the User Center for the product that you are installing.

    Licenses are imported via the Check Point Configuration Tool.

    The License Keys tie the product license to the IP address of the SmartEvent server. This means that:

    • Only one IP address is needed for all licenses.
    • All licenses are installed on the SmartEvent Server.

Initial Configuration of SmartEvent and SmartReporter Clients

The final stage of getting started with SmartEvent and SmartReporter is the initial configuration of the clients. After you install SmartConsole according to the instructions in the R77 Release Notes and R77 Installation and Upgrade Guide, do the following:

  1. For SmartEvent:
    • Define the Internal Network and Correlation Units
    • Install the Event Policy

    Events will begin to appear in the SmartEvent client.

  2. For SmartReporter, create consolidation sessions.

    Logs will now be created and sent to the SmartReporter database. As a result, reports can be created.

Defining the Internal Network for SmartEvent

To help SmartEvent determine whether events originated internally or externally, the Internal Network must be defined. Certain network objects are copied from the Management server to the SmartEvent Server during the initial sync and are periodically updated afterwards. Define the Internal Network from these objects.

To define the Internal Network, do the following:

  1. Start the SmartEvent client.
  2. From the Policy view, select General Settings > Initial Settings > Internal Network.
  3. Add internal objects.

    Note - It is recommended to add all internal Network objects, and not Host objects.
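The following is an added illustration, not Check Point code and not part of the original guide, of why the note above favors Network objects: events from addresses that no object covers fall on the external side. The object names, addresses and the classification function are constructed for this example; SmartEvent's own matching logic is not described on this page.

```python
import ipaddress

# Constructed sample objects (names and addresses are illustrative only).
OBJECTS = {
    "net_office": ("network", "10.1.0.0/16"),
    "range_dmz": ("range", ("192.168.50.10", "192.168.50.20")),
    "host_mail": ("host", "10.1.1.5"),
    "grp_networks": ("group", ["net_office", "range_dmz"]),
    "grp_hosts_only": ("group", ["host_mail"]),
}

# Constructed (source, destination) pairs standing in for logged events.
EVENTS = [
    ("10.1.1.5", "203.0.113.7"),
    ("10.1.7.44", "203.0.113.7"),
    ("198.51.100.9", "192.168.50.15"),
    ("198.51.100.9", "192.168.50.21"),
]

def expand(name, objects=OBJECTS):
    """Resolve an object (network, host, range or group) to ip_network values."""
    kind, value = objects[name]
    if kind in ("network", "host"):
        return [ipaddress.ip_network(value)]  # a bare host address becomes a /32
    if kind == "range":
        first, last = (ipaddress.ip_address(a) for a in value)
        return list(ipaddress.summarize_address_range(first, last))
    if kind == "group":
        return [net for member in value for net in expand(member, objects)]
    raise ValueError(f"unknown object type: {kind}")

def direction(src, dst, internal):
    """Label an event by which side of the Internal Network each end is on."""
    def side(addr):
        ip = ipaddress.ip_address(addr)
        return "internal" if any(ip in net for net in internal) else "external"
    return f"{side(src)}->{side(dst)}"

def classify(internal_object):
    """Classify every sample event against one Internal Network definition."""
    internal = expand(internal_object)
    return [direction(src, dst, internal) for src, dst in EVENTS]

if __name__ == "__main__":
    for name in ("grp_networks", "grp_hosts_only"):
        print(name, classify(name))
```

With the host-only definition, the second event (from 10.1.7.44) is labeled external->external even though its source sits inside the office network.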

Defining SmartEvent Correlation Unit and Log Servers for SmartEvent

  1. From the Policy view of the SmartEvent client, select General Settings > Initial Settings > SmartEvent Correlation Unit.
  2. Select Add.
  3. Click the [...] symbol and select a SmartEvent Correlation Unit from the displayed window.
  4. Select OK.
  5. Click Add and select the Log Servers available as data sources to the SmartEvent Correlation Unit from the displayed window.
  6. Select Save.
  7. From the Actions menu, select Install Events Policy.

Once the SmartEvent Correlation Unit and Log Servers are defined, and the Events Policy installed, SmartEvent will begin reading logs and detecting events.

To learn to manage and fine-tune the system through the SmartEvent client, see SmartEvent client.

Creating a Consolidation Session for SmartReporter

The consolidation session reads logs from the Log Server and adds them to the SmartReporter database. If there is a single Domain Log Server connected to a Security Management Server, a consolidation session will automatically be created to read newly generated logs. If multiple Log Servers connect to one management server, users must manually define consolidation sessions for each Log Server.

When you create a consolidation session, you determine the Log Server from which information is extracted and the database table in which the consolidated information is stored.

  1. In the Selection Bar view, select Management > Consolidation.
  2. Select the Sessions tab.
  3. Click the Create New... button to create a new session.

    The New Consolidation Session - Select Domain Log Server window appears.

  4. Select the Log Server from which logs will be collected and used to generate reports.
  5. Click Next.

    The New Consolidation Session - Select Log Files and database for consolidation session window appears.

  6. Choose whether to use the default source logs and default database tables or select specific source logs and specific database tables for consolidation.

If you select Select default log files and database, click Finish to complete the process. This option indicates that the source of the reports will be the preselected logs and that all the information will be stored in the default database table named CONNECTIONS. The preselected logs are the sequence of log files that are generated by Check Point products. The preselected logs session will begin at the beginning of the last file in the sequence or at the point where the sequence was stopped.

If you want to customize the Consolidation session, refer to the R77 SmartReporter Administration Guide.

Enabling Connectivity with Multi-Domain Security Management

In a Multi-Domain Security Management environment, the SmartEvent Server can be configured to analyze the log information for any or all of the Domain Management Servers on the Multi-Domain Server. In order to do this, the SmartEvent Server database must contain all of the network objects from each of the Domain Management Servers and then be configured to gather logs from the selected Domain Log Servers.

Preparing SmartEvent in the Multi-Domain Server Environment

To connect SmartEvent to one Domain, define the SmartEvent object in the SmartDashboard of the Domain.

This procedure shows how to connect SmartEvent to all Domains.

To connect SmartEvent to all Domains:

The first stage of configuring SmartEvent is to establish connectivity between the components.

  1. Launch Global SmartDashboard to the Multi-Domain Server.
    1. In SmartDashboard, create a new host for each computer that contains a component of SmartEvent:
    2. Select Manage > Network Object > New > Check Point > Host.
    3. In the General Properties window, click Communication and enter the activation key.

    Note - If the Multi-Domain Server and SmartEvent are installed on different sides of the firewall, add a rule that allows SIC traffic between them.

    4. The version is not entered automatically if the SmartEvent version is newer than the version of the Multi-Domain Server. If so, select the most recent version available from the Version drop-down list.
    5. In the Management Software Blades list, select SmartEvent.
  2. Select Close and OK.
  3. From the File menu, select Save.
  4. From the SmartDomain Manager:
    1. Assign a Global Policy on all Domain Management Servers participating with SmartEvent.
    2. For each Domain Management Server participating with SmartEvent, open its SmartDashboard, select Policy > Install Database, and select only the Log Servers and the Domain Management Server from which you want the SmartEvent Intro to read logs.

Enabling Connectivity with the Multi-Domain Server

  1. Open the SmartEvent Intro client.
  2. Go to Policy tab > General Settings > Objects > Customers.
  3. Add all the Domain Management Servers with which you will be working.
  4. Objects will be synchronized from the Domain Management Servers. The synchronization progress can be monitored from the status window in the Overview pane.

Defining the Internal Network for SmartEvent

To help SmartEvent Intro determine whether events originated internally or externally, the Internal Network must be defined. Certain network objects are copied from the management server to the SmartEvent Intro server during the initial synchronization and are periodically updated afterwards. Define the Internal Network from these objects.

Note - If running SmartEvent Intro in a Security Management Server environment, the internal network will be defined automatically from firewall topology information. You can customize the internal network definition.

In a Multi-Domain Security Management environment, define an internal network for each Domain Management Server.

To define the Internal Network:

  1. Start the SmartEvent Intro Client.
  2. From the Policy view, select General Settings > Initial Settings > Internal Network.
  3. Add objects (hosts, networks, groups, IP ranges) that define your environment's internal network.